
Published: 12th December 2023 | In: Insights

Introduction to ITDR

The proliferation of cloud computing and cloud-hosted software introduced game-changing advantages to organisations. Whilst it’s true that remote access and VPN solutions had been around for decades, cloud solutions like Microsoft 365 enabled an organisation to give access to company resources from anywhere, on any device, and at any time – for employees and partners alike. This concept is, of course, powered by Microsoft Entra.

Advancements in cloud identity over the last five years have cemented the fact that an organisational identity is the new security perimeter. Firewalls and VPN configurations still have their place in many organisations but, more than ever, identities should be treated and protected as foundational pieces in the security story. Enter the concept of Identity Threat Detection and Response, or ITDR for short.

ITDR as a concept

ITDR isn’t just a term that describes how a partner like Quorum Cyber would keep an eye on an organisation’s identities, making sure they’ve not been compromised and using identity signals to enrich a detection and response service. Instead, ITDR expands the concept of identity protection to ensure that the underlying identity systems themselves remain free from compromise. After all, how can you trust an authorisation or authentication if the platform performing that function has been infiltrated?

Successfully implementing ITDR is rooted in clearly defining the roles and responsibilities of both identity admins and security teams and ensuring that their work is performed in a complementary manner rather than in silos. The familiarity that identity admins have with an environment can often prove vitally important in the event of an identity compromise. Conversely, security teams gain insights through their investigations and can feed these back to identity teams to strengthen an organisation’s resilience to attacks. You can read more about Microsoft’s own definition of ITDR, or, for a more technical viewpoint, check out Yaron Paryanty’s blog on the subject. Yaron and I worked extensively on the various parts of the ITDR mosaic during my time at Microsoft.

How Quorum Cyber interprets ITDR

From the standpoint of a security partner, we see ITDR as a mechanism that protects all identities in an organisation, human or machine, with a focus on limiting the blast radius of privileged accounts. These are the kinds of accounts that attackers will strive to compromise to cover their tracks, attain a stronger foothold in the environment, or cause enormous amounts of damage. Imagine a compromised account that can introduce a new Conditional Access policy that bypasses multi-factor authentication (MFA) requests from unknown network locations. This is the kind of compromise that I described earlier, where the very mechanisms that security and identity teams put in place are hijacked to work against the organisation they’re supposed to protect.

Protections can be elevated to meet this goal in numerous ways, from preventative posture improvement actions to implementing tools and solutions that enforce core tenets of Zero Trust methodologies. And, of course, because Quorum Cyber is a world-class detection and response (and incident response) specialist and a Microsoft Solutions Partner for Security, if any of these protective measures raise a suspicion, a ticket can be triaged, investigated, and concluded in next to no time. All of this is powered by Microsoft technology and Quorum Cyber’s expertise.

Why not join the ITDR club?

We’re in the middle of piloting this Managed ITDR service with some customers right now. Once this pilot process has concluded, we’ll be welcoming any organisation to onboard our Managed ITDR service to help them win in the identity protection space.